Lokjaw
Virus.DOS.Lokjaw is a dangerous memory-resident file companion / infector virus for DOS. Disabling or deleting MSAV and MWAV is characteristic of this family. There are 30 variants in 6 versions, represented by the following:
*Virus.DOS.Lokjaw.482
*Virus.DOS.Lokjaw.512
*Virus.DOS.Lokjaw.804
*Virus.DOS.Lokjaw.874
*Virus.DOS.Lokjaw.893
*Virus.DOS.Lokjaw.1041
There are an additional 11 variants which also belong to this family.

Behavior

Lokjaw.482...808, 890, 893, 894 and 898
When the virus is loaded into memory, it searches for EXE executable files that are run, and then places a DOS executable with the same name as that program, which is the virus itself. Lokjaw.804 and 808 set the attributes of these companion files to hidden and system, so that the user can find them only by running ATTRIB.

Lokjaw.874 and 877
These variants are more dangerous than the others. They search for every DOS executable and rename its extension to "CON"; after that they place companion files under the original filenames and activate immediately. The companion files are also set as hidden system files.
Before infection:
PROGRAM.COM
After infection:
PROGRAM.COM (hidden, the virus itself)
PROGRAM.CON (the original program)

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058
Instead of placing companion files, these variants infect DOS executables when they are in memory. For Lokjaw.1041, any program infected by this variant will no longer function properly and will cause a system hang.

Advanced details
The following table shows the memory usage of the variants.
MD5 hash:

Payload
The virus activates when the user attempts to run MSAV or MWAV, except Lokjaw.874 and 877.

Lokjaw.482...507, 518...571
These variants hang or even crash the system on activation.

Lokjaw.512
In addition to hanging the system, this variant also destroys the file allocation table.
Lokjaw.804, 808, 890, 894, 1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058
These variants turn the screen black with two lines, which looks like an old TV being turned off, delete that program and hang the system.

Lokjaw.874 and 877
These variants delete the following files by absolute path, then hang the system:
C:\DOS\MSAV.EXE
C:\DOS\MWAV.EXE
C:\DOS\VSAFE.COM (failed)
VSAFE.COM is not actually deleted because of a fault in the execution sequence: the file deletion is executed after the files are renamed to the CON extension and before the companion files are dropped, resulting in a "File not found" error during this operation. These variants also corrupt CMOS memory, causing all settings to be lost. The system might fail to recognize COMMAND.COM after the second reset, as it has been replaced by the virus and the original program has been renamed to "COMMAND.CON".

Lokjaw.893 and 898
These variants turn the screen black with two lines and hang the system without deleting the program.

Variants
This family has 41 variants in total:
*Virus.DOS.Lokjaw.482
*Virus.DOS.Lokjaw.484
*Virus.DOS.Lokjaw.493 (A and B)
*Virus.DOS.Lokjaw.495
*Virus.DOS.Lokjaw.499
*Virus.DOS.Lokjaw.501
*Virus.DOS.Lokjaw.507
*Virus.DOS.Lokjaw.512
*Virus.DOS.Lokjaw.518
*Virus.DOS.Lokjaw.520 (plus B)
*Virus.DOS.Lokjaw.522
*Virus.DOS.Lokjaw.571
*Virus.DOS.Lokjaw.804
*Virus.DOS.Lokjaw.808
*Virus.DOS.Lokjaw.874
*Virus.DOS.Lokjaw.877
*Virus.DOS.Lokjaw.890
*Virus.DOS.Lokjaw.893
*Virus.DOS.Lokjaw.894
*Virus.DOS.Lokjaw.898
*Virus.DOS.Lokjaw.1041
*Virus.DOS.Lokjaw.1046
*Virus.DOS.Lokjaw.1047
*Virus.DOS.Lokjaw.1048
*Virus.DOS.Lokjaw.1050
*Virus.DOS.Lokjaw.1052
*Virus.DOS.Lokjaw.1053
*Virus.DOS.Lokjaw.1058
*Virus.DOS.Lokjaw.Firefly (5 variants)
*Virus.DOS.Lokjaw.Kenson (2 variants)
*Virus.DOS.Lokjaw.Pfeiffer.1203
*Virus.DOS.Lokjaw.Scramble (3 variants)

Other details
When a variant of this virus is already in memory and another variant is run, the new one unloads the previous one and then installs itself into memory.
Lokjaw.482...522 contain the internal text strings:
EXE COM

Lokjaw.493.a also contains the internal text string:
loulou

Lokjaw.493.b also contains the internal text string:
Arclight

Lokjaw.495 also contains the internal text string:
JKLS CAT

Lokjaw.499 also contains the internal text string:
Good Night

Lokjaw.501 also contains the internal text strings:
SLEEPWALKER MSDOS6

There exists another 501-byte variant with different internal text strings:
PET CEMETERY MSDOS6
But this one fails to execute due to the character "Y".

Lokjaw.507 also contains the internal text strings:
Starry Night Bornio Baby

Lokjaw.512 also contains the internal text string:
TAIPEI11-30-1998/BlackJack-XEXE

Lokjaw.518, 520, 520.b and 522 also contain the internal text strings:
Black Knight Tempest - _ Of Luxenburg

Lokjaw.571 contains the internal text strings:
[ Its the KenSON III virus ] For My Very Best Friend By Lobo 435 of Covina CA...

Lokjaw.804, 808, 890 and 894 contain the internal text strings:
EXE COM Lokjaw-Zwei

Lokjaw.874 and 877 contain the internal text strings:
The Chomper virus by AITH viral Dept. *.COM Lokjaw-Routine C:\dos\mwav.exe C:\dos\msav.exe C:\dos\vsafe.com

Lokjaw.893 and 898 contain the internal text strings:
EXE COM Lokjaw-Drei

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058 contain the internal text string:
CDMZ

Lokjaw.1047 and 1052 also contain the internal text string:
KenSON IV Infection Module VIRUS Proto-T Variant 94/Lobo/435 Thanks To Brian! - BF
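
The companion layouts and internal text strings described on this page can be checked for when triaging files recovered from a DOS disk. The following is an added example, not part of the original article: the triage function, its input format (filename, FAT attribute byte, file content) and the sample entries are constructed for illustration, and it assumes the dropped companion carries the .COM extension.

```python
import os
from collections import defaultdict

FAT_HIDDEN, FAT_SYSTEM = 0x02, 0x04      # FAT directory-entry attribute bits
HIDSYS = FAT_HIDDEN | FAT_SYSTEM

# Internal text strings quoted on this page, with the variants it lists for them.
MARKERS = {
    b"Lokjaw-Zwei": "Lokjaw.804/808/890/894",
    b"Lokjaw-Drei": "Lokjaw.893/898",
    b"Lokjaw-Routine": "Lokjaw.874/877",
}

def triage(entries):
    """entries: iterable of (filename, fat_attribute_byte, content_bytes).
    Returns a sorted list of (filename, finding) tuples for manual review."""
    entries = list(entries)
    by_stem = defaultdict(dict)
    for name, attr, _data in entries:
        stem, ext = os.path.splitext(name.upper())
        by_stem[stem][ext] = (name, attr)
    findings = set()
    for exts in by_stem.values():
        if ".COM" not in exts:           # assumption: the companion is a .COM file
            continue
        com, attr = exts[".COM"]
        hidden = " (hidden+system)" if (attr & HIDSYS) == HIDSYS else ""
        if ".EXE" in exts:               # same-name COM placed beside an EXE
            findings.add((com, "shadows " + exts[".EXE"][0] + hidden))
        if ".CON" in exts:               # 874/877 layout: original renamed to .CON
            findings.add((com, "original renamed to " + exts[".CON"][0] + hidden))
    for name, _attr, data in entries:    # string check against file content
        for marker, variants in MARKERS.items():
            if marker in data:
                findings.add((name, "string " + marker.decode() + " -> " + variants))
    return sorted(findings)

# Constructed sample listing (not real samples); 0x20 = archive, 0x26 = archive+hidden+system.
SAMPLE = [
    ("EDIT.EXE", 0x20, b"MZ constructed host"),
    ("EDIT.COM", 0x26, b"\xe9\x00\x00 EXE COM Lokjaw-Zwei"),
    ("PROGRAM.COM", 0x26, b"*.COM Lokjaw-Routine"),
    ("PROGRAM.CON", 0x20, b"constructed original program"),
    ("FORMAT.COM", 0x20, b"constructed clean file"),
]

if __name__ == "__main__":
    for filename, finding in triage(SAMPLE):
        print(filename + ": " + finding)
```

A same-name COM/EXE pair without the hidden and system attributes is reported too, since only Lokjaw.804, 808, 874 and 877 are described as hiding their companions; such hits need manual review rather than automatic removal.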